Posted
by
timothy
on Sunday November 09, 2003 @06:15PM
from the painting-with-machine-gun dept.

Roland Piquepaille writes "For the last two months, an eternity in Internet time, I was unable to reach -- and to contribute to -- Smart Mobs, the collective blogging effort around the next social revolution initiated by Howard Rheingold. Why that? Because an unknown customer of Verio decided it was a spamming site and asked the company to blacklist the site. Verio complied -- probably without even checking it -- and my problems started. It took me dozens of e-mails and phone calls and two visits to the headquarters of my french ISP, Noos, to fix the situation. More about this horror story is available here."

I use blacklists to mark probable spam, but still generally see it. Recently, some people had reported an email from GoDaddy (domain registrar) that was only sent to customers, and it was asking them to very information. If, say, my ISP was blocking email from them based on this, I'd never see it. ISP's should err on the side of caution, let users take more risks if they personally desire.

I don't necessarily think it's astroturfing; it's a legitimate problem, and will continue to happen. OTOH, there are possible solutions, not only to this problem, but others as well. DBP, anyone? [jpj.net]

This sounds more like a complaint about the potential for human error, rather than a complaint about the idea or technology itself.

Rather silly, Slashdot. I suppose next we will have an article saying how security is evil, because some LUser gave his password to a hacker who phoned in posing as tech support. Or even that DNS is evil, because someone can hijack your listing (which was posted a few days ago...)

The current "boo-hoo" over blacklists can be mostly summed up by one word: SPEWS.

They operate on the "nuclear bomb" method: list spammers, plus anyone using a "spam-friendly" mailserver (a definition that can be stretched to cover almost anyone) or anyone who is simply "suspicious." Oh, and you might also be listed if your new IP block was once used by a spammer. Don't worry, though. You can just wait a few weeks and lose massive amounts of buisiness because many customers can't recieve email from you and have no idea why - they just think you aren't responding. Or you can go onto NANAE and post a delist request, which will get you nothing but "Whiner! Eat your SPEWS, it's good for you!"

To be sure, a large portion of the problem comes from ISPs implementing SPEWS incorrectly - silently dropping all IPs listed, not just tagging level 2 and dropping only level 1 (confirmed spammers), and the spammers have created this problem themselves. However, SPEWS' "list 'em all, let God sort 'em out" approach is irresponsible, particularly when they know that ISPs are applying the filtering with a wide brush.

your ISP has explicitly signed up to SPEWS because it works. it works because it encourages ISPs to be RFC compliant. it's for the greater good: i don't *care* if it breaks your email to your mom on a blacklisted ISP: it's your ISP's business decision to ignore spam complaints and become spam-friendly. natural selection says their customers get pissed off (step one: looks like it's working so far) and then jump ship to an ethical ISP. eventually the spamhauses go bust.

[SPEWS] operate[s] on the "nuclear bomb" method: list spammers, plus anyone using a "spam-friendly" mailserver (a definition that can be stretched to cover almost anyone) or anyone who is simply suspicious." Oh, and you might also be listed if your new IP block was once used by a spammer. Don't worry, though. You can just wait a few weeks and lose massive amounts of buisiness because many customers can't recieve email from you and have no idea why - they just think you aren't responding. Or you can go onto NANAE and post a delist request, which will get you nothing but "Whiner! Eat your SPEWS, it's good for you!"

Incorrect characterization of SPEWS methods. From my own personal observations, a SPEWS listing starts out with the spammer's IP addresses based on spam received at multiple spamtrap accounts. Complaints are filed by the people who run the SPEWS list and, of course, they do not identify themselves as SPEWS operators in those complaints. Some time elapses (I'm not SPEWS, how should I know how much time exactly?). Either the spammer is removed (Yay! The listing drops off the list) or the complaints go ignored and more spam is received at the spamtrap accounts. The listing gets widened to the/24 in which the spammer space is included (this may happen immediately in the case of a spammer identified by Steve Linford's ROKSO (Registry of Known Spam Organizations) at spamhaus.org [spamahaus.org] (may be difficult to reach due to the Slashdot effect or DDoS by virus)).

Lather, rinse, repeat the above until someone at the responsible ISP who received the original complaints wakes the fuck up and notices the situation, usually after their own customers are screaming at them, asking them to fix the problem that got them blocklisted. Then again, this is all laid out in the SPEWS faq [spews.org] in fairly clear, easy to understand language.

If ISP's are dropping mail from both level1 and level2 listings, they've made their own bed and are now laying in it. Only an idiot would block on level2 listings as they are meant as an historical indicator of problems with an ISP and do age off after an indeterminate period of time, again outside my control or knowledge.

SPEWS is the only thing thus far in the war against spam that actually has an effect at the ISP level to get some of these outfits to wake the fuck up and see what's happening in their own abuse@ mail accounts. ISP's think they can continue to shine on the spam problem, thinking they have no responsibility for their customers' actions. We, the users of SPEWS blocklist, say otherwise.

If I decide I don't want mail from a corner of the Internet that has sent me nothing but spam, that's my right. If I decide to rely upon the opinion of another Internet service who tracks this kind of information for themselves and elects to share it with the public, that's my right also. SPEWS works for me and mine.

You're good with the SPEWS line, there, but there's good reasons why any admin with a clue doesn't use that fucked up list.

(1) SPEWS is ineffective. It might have some effect if your goal is to drive spammers away from a given ISP, or drive customers in general away from a given ISP. But it won't significantly reduce the amount of spam you get compared to using the lists with a philosophy that involves far less collateral damage. But by using SPEWS, you WILL block hundreds or thousands of times more legiti

Better a million spammers go free, annoying billions of people, rather than temporarily inconvenience a handful of innocent domains? I'll take that inconvenience as acceptable risk for living in a world populated by asshats.

Yeah, because blacklisting has been so effective thus far, we just need to do more of it. Yeah, right. Blacklisting is basically playing a game of whack-a-mole; it makes things a bit less convenient for spammers, but doesn't seem to be doing them serious harm. OTOH, crippling the email of innocent bystanders who happen to share IP blocks with spammers seems a rather steep price to pay for something that does very little to stop spam.

Spam is a tough problem, and it's going to take more than just vigilante action to deal with it. What's needed is a two pronged approach. One prong is legal and is being followed fairly well; pass laws that make spamming illegal. The other prong, which is still under development, is to make technical changes to email so that spammers can't hide their addresses. Neither one will succeed alone- laws can't help as long as spammers can hide, and making spammers stand still won't help if there's no legal recourse against them- but the combination of the two should help a lot.

What's needed is a two pronged approach. One prong is legal and is being followed fairly well; pass laws that make spamming illegal. The other prong, which is still under development, is to make technical changes to email so that spammers can't hide their addresses.

First, I don't share your glee about current laws and the direction they are taking. I fear email will end up like broadcast radio and TV - only people who pay big bucks to the government will be alowed to run a mail server. The

"blacklisting" in this article refers to completely block an ip address.
This is not a "bad idea", but complete nonsense. First time I've heard of something like that. This is not to be mistaken for using an open relay blacklist or similar, which only blocks mail from a certain address.
I bet those "network administrators" clicked on some fancy "block site" button, not knowing what they were doing...

The fact that a strategy (such as blacklisting) can be mismanaged and that it is not invulnerable to abuse does not necessarily make it a "Bad Idea". It just means it needs to be managed more carefully, and better secured from abuse.

Why is the blacklist being done on a domain level. Spam is usually email....so block the email address. That is simple enough to do with intrusion detection systems, some application level firewalls, and if your really bored....an access list on a router. Whoever decided to block ftp or http to stop spam was not all there. They should have stopped smtp traffic from there instead and been done with it.

Black listing of spammers is a good idea, we just have to make sure we are only blocking them and not innocent bystandards.

I'm assuming that by "running your own SMTP server" you mean you're running one at the end of a DSL line or similar. If so, why don't you use your ISP's server as smarthost and relay through them? Avoids DSL/dialup/dynamic blacklisting, and reduces the strain on your server. Win-win, surely?

In addition to amw's excellent point, it's also an issue for people who roam between different dial-up ISPs (for a time, for instance, I largely used a local ISP but had Bellsouth.net as a backup. When I visited a friend in CT I'd dialup her ISP.) Most email programs want to use a single SMTP server, or choose one on the basis of outgoing email address (insane, but...) It's infinitely easier to just switch on sendmail in the default configuration offered by most distributions (smarthost for localhost, other

If so, why don't you use your ISP's server as smarthost and relay through them?

Why don't I use my ISP's mail server? Because:

My ISP's mail server sometimes takes as much as 3 hours to deliver a single email

Mail sometimes gets lost entirely, and without access to logs I have no clue what happened

I have a host with TCP/IP abilities just like everyone else. Just because I'm not paying thousands of dollars doesn't mean I can't establish a port 25 connection to another host. I resent the drive by industry to segregate connectivity based on service class (consumer/business). TCP/IP knows no such labels.

Amen! This is a perfect example of one of many serious threats to end-to-end transparency in the Internet. Between greedy service providers like Verisign that would break end-to-end for their own financial gain and overzealous and ill-conceived antispam mechanisms like dialup blacklisting, the end-to-end principle that made the Internet great is now in very serious jeopardy.

I don't know what can be done other than to find and promote better ways to fight spam at the endpoints, and to scream whenever an IS

Yeah, I have a similar problem. I found that when I sent mail using my ISPs SMTP server (i.e., Comcast) it would go through fine. However, I also found that Comcast's SMTP server is unreliable: either it's down or it accepts messages and then eats them whole. Anyway, I set up a mail rule to route any AOL-bound messages through Comcast and everything else is routed directly to the destination host. That way I'm only dependent upon Comcast for mail going to AOL.

Thanks for the info. The idea of a blacklist of blacklists isn't a bad idea at all.

I had this happen at work. The marketing group is responsible for administering the mail server (don't ask me how that happened) and as of last Thursday about 95% of outgoing mail was being rejected by the server. It was configured to send mail direct to the remote host, bypassing the ISPs SMTP. Apparently a whole lot of domains are now blocking unrecognized SMTP transfers (there was something in the news about it). I

It's not just AOL. I hit this today sending mail to my webmail account at linuxmail.org - run by Outblaze. I get an SMTP 554 pointing me here [outblaze.com].

I've been running my own SMTP server for a couple of years now, because it gives me control, because I get to learn how mail works hands-on, and because I don't have to rely on my ISP's mail server (they run Exchange) Looks like it's not going to be possible anymore.

Speaking as someone who fights spam for a living, effective blocking requires a combination of techniques. You need to filter on sender (both envelope and From:), sender domain, sender IP, and content filters.

Your statement that whoever decided to block ftp or http was not all there completely misses the point, I think. If a site is known to spamvertise, blocking *all* traffic to/from that site is actually a pretty good idea. Why? Consider why spammers send spam: to generate traffic to a web site, an email address, a phone number, some way to contact that. Since they know any email address they use to spam probably won't last as long as fart in a room full of air purifiers, the contact link is usually URL, whether by domain name or IP address. If they spam and you put in a filter for that spam, they may never get that spam through again, but they may still get some buyers from among your (stupider) customers. However, if your policy is to block all traffic to/from that IP address, they get zero traffic and zero business from your netblock and you really hit them in the wallet.

Verio's idea is good, but someone dropped the ball on implemenation in this case by not checking the facts before blocking.

What I'd like to know, though, is why the author of the article uses an ISP as bad as Noos. They sound so bad they make even wanadoo.fr (gee, speaking of spam!) sound good in comparison. Someone at Verio apparently made a mistake, but if so many people at Noos weren't so incompetent (did the PHB character come from their, I wonder?) the situation probably could have been resolved in a day or two.

Your statement that whoever decided to block ftp or http was not all there completely misses the point, I think.
Allow my to explain my self better. I meant that blocking FTP and HTTP just because a site is reported to spam is not a good idea. While I don't fight spam for a living, I do regularly write filters for email worms on my company's IDS though. We have to be careful that we only filter out the unwanted and nothing else. There should have been at a bare minimum, 1. A check to guarantee that the

Use some common sense editors when presented with a story that seems unusually slanted please take it at face value. This is why corporations such as verio need to be made aware of their policies not working not that black lists do not. Blacklists are the only thing that works against spammers and they know it. So how do they fight back by using the blacklists against regular sites to try and disrupt users service so that people might think twice about using them.

Instead this article should be title "Why Blacklist Do Work" and what spammers are doing to try and disrupt them.

value. This is why corporations such as verio need to be made aware of their policies not working not that black lists do not. Blacklists are the only thing that works against spammers and they know it.

I only started to see a serious reduction in the amount of spam being sent to mailboxes I don't maintain (ie my Yahoo! address, etc) when the ISPs concerned started using baysian type techniques and other systems based upon filtering the content. I do, personally, have an extremely successful spam fightin

From the article: My ISP has a partnership with Verio to handle its traffic in the U.S. When Verio blacklisted Smart Mobs, any request from Noos went unanswered -- sorry, there was the (in)famous 404 error.

I want to be sure I understand this correctly. Verio wasn't (only) discarding mail from Smart Mobs, because they thought it was spamming site, they were refusing to pass through http (or other) connections to it?

Discarding mail is one thing, but blocking an IP address is quite another. What's the justification for this? To prevent the (supossed) spammer from profitting from the spam, by preventing anyone from connecting to it to (presumably) buy the product touted in the spam?

Discarding mail from a spammer can be justified, by, among other things, the argument that spam mass-mailings strain system resources. But connecting to sites happens all the time -- an ISP should should be set up to handle that traffic, and can traffic to sites touted in spam really increase the volume that much?

To me, this seems like a dubious policy on Verio's part -- even without the problem of mis-identifying sites as in the case of Smart Mobs.

can traffic to sites touted in spam really increase the volume that much?

It's not about saving bandwidth -- it's about taking away the spammer's source of income. If you block email from a spammer, you've wasted a minimal amount of his time, and he'll quickly move to another mail server. If you take out his web site, he can't sell anything online.

Discarding mail is one thing, but blocking an IP address is quite another. What's the justification for this? To prevent the (supossed) spammer from profitting from the spam, by preventing anyone from connecting to it to (presumably) buy the product touted in the spam?Bandwidth costs.

When you can completely block a rogue IP/network/country/etc from accessing your network at all, you save that network cost.

You also cut out the processing time that filtering would have used up, in a more efficient way.

Your missing the point that the most effective and cheaest to impement method of blocking an address is what we call null routing. Pretty much you inject routes into whatever routing protocal your using and have them go to the bitbucket. It's very fast and efficient as you can update all your routers automaticaly in seconds and it's very friendly to there resources as routing is what they do well not running ACL's etc.

I left an HTTP proxy on on an open port - on the same machine that does SMTP. I didn't even know that spammers could relay via an http proxy using a PUT to the local SMTP server. mea culpa.I fixed it in 3 days (too long, I know).I contacted mail-abuse.org and submitted a removal request. It took them 2 weeks to take me off the list.

It frustrates me that their site is so unresponsive to removal requests, and that they fail much of their process. They were supposed to send email at several stages, which they did not do. The email they did send was badly formatted (broken urls, urs that weren't relevent).

I won't ever use an RBL because they just don't seem responsible.

Yeah, I know - pot kettle black. But I'm not supplying a service to thousands of users.

That said, you left a relay open for 3 days, and potentially tens of thousands of spam emails, and you are going to sit their and complain that it took two weeks for you to be removed from the black list? What about all the individual admins that added you to their personal blacklists and just never bothered removing you?

It frustrates me that their site is so unresponsive to removal requests, and that they fail much of their process. They were supposed to send email at several stages, which they did not do. The email they did send was badly formatted (broken urls, urs that weren't relevent).

Almost all of the RBLs are run by private individuals who make no money for their efforts. Why do you believe that they owed you anything? All that you did was make work for them by your misconfiguration of your mail server. They don't owe you nicely formatted e-mails, prompt responses, or open lines of communication.

Yeah, I know - pot kettle black. But I'm not supplying a service to thousands of users.

...that you're perfect, and have never done anything ill-informed, spiteful, purely accidental, or just plain stupid. Therefore, you can tell people not to fuck up in the first place, because clearly the rest of us just aren't trying hard enough.

The rest of us, sadly, aren't interested in trying hard enough, especially if it results in as much difficulty as you seem to have in extracting your cranium from the depths of your large intestine.

It didn't seem like the OP wasn't willing to accept the consequences of his actions. It appeared to me that he felt the consequences were unreasonable.

Actually, he said that the consequences were reasonable:

"That said, I do agree that two weeks isn't an irrational amount of time for this."

His argument seemed to be that the persons running the RBLs, primarily on a volunteer basis, had a "responsibility" to hop to it and keep them accurate and up to date. I disagree. By and large, they are being good sama

They've been in use for over five years now and spam is more prevalent than ever. They're ineffective and should be put to rest.

And AIDS drugs are in widespread use and AIDS is far more prevalent than it was in the 1970s. Did it ever occur to you that the spam problem would be worse without RBLs and other anti-spam activism? Your lack of logic is astounding.

{snip}Scelson also testified about how some Internet access providers signed little-known agreements, called "pink contracts," with known spammers to allow them to send mail in bulk, at prices higher than other commercial clients were charged.

Leaving a proxy open for raping by spammers doesn't make you a bloodsucking demon, but it is definitely grounds for having your IPs locally blocklisted.

It frustrates me that the http proxy:1. Didn't warn me that this was an issue upon install2. **Allowed this to happen at all**

I have submitted a bug to the developers. This is a known issue, though I'd never heard of it before, nor had 2/3rds of my geek (professional programmers, recreational sysadmins - which describes myself as well) friends. If http

Someone anonymously submitted our MS Exchange server (I don't blame em *grin*) as a spam relay, despite the fact that it is not. As said in the original post, they didn't even check the server they just blacklisted it.

The first thing we know about it is when members of staff come to us and complain that they are getting error messages such as 'denied' when trying to email important people.

Sigh.. in fact I have that very same problem waiting to be tackled when I get back on Monday morning. And its always such a ballache to get your mail servers removed from these block lists...:(

A fairly high-profile example of this was when (now defunct) ORBS announced that all of above.net was an open relay a few years ago (in response to above.net blocking network scans from ORBS). A mention of how it blocked the PHP mailing list is here [phpbuilder.com].

6 months later, its proponents were telling people the same thing - "every entry was verified an open relay" (here [ornl.gov])

Of course, these lists can be workable when combined with a system such as spamassassin, which uses them to weight whether or not a message mi

The real issue, however, seems to be this guys ISP. I mean honestly, what the hell is wrong with them? If I had called Speakeasy with this sort of problem, it would have been taken care of that day.

Exactly, what kind of 2 bit ISP is he dealing with anyway? Why when this happened did he not instantly start shopping around and then demand to speak with a manager and tell them that unless they got a clue about the diffrences between protocals that he was leaving?

Why when this happened did he not instantly start shopping around and then demand to speak with a manager and tell them that unless they got a clue about the diffrences between protocals that he was leaving?

Actually you are right. The real problem is people willing to put up with shitty customer service. If enough people stopped putting up with it, and did switch, we might actually see some corporate changes.

When my last ISP gave me crap about a similar problem, I immediately started looking for a new IS

I have an earthlink.net account and a couple of weeks ago I was issued an IP address in the dreaded slashdot BANNED! file. Pity poor me, getting the big orange screen telling me about the terms of use and how, as a BANNED! IP addy, I was unable to even read them. Fortunately, the evil orange BANNED! page quoted me a few of the offenses that might have gotten 'my' IP banned. I must have spammed the input queue or posted a PWP (page widening post) or somesuch.

Of course, it wasn't me. It was some other Earthlink customer who, sometime in the past, was issued that same dynamic IP address and committed the unpardonable offense. That customer has moved on to a new IP, but/. never forgets.

It was hell. I spent *hours* unable to access/. -- can you imagine the suffering that such a fate would cause *you*??!

Eventually, I was issued a new IP address from earthlink and was back online as the ageless Sun Tzu once more. But I still live in fear that someday, perhaps when I least expect it, the evil orange BANNED! page will return to haunt me. This is the personal hell that I inhabit and it is here that I shall remain, until I get a clean static IP address of my very own. I live for that day.--Send us your Linux System Administration [librenix.com] articles

Back when they issued CybrSurfr cable modems, the DHCP server assigned you an IP based upon the MAC address of your NIC. If you wanted a new IP, all you had to do was ifconfig yourself a new MAC, do a network restart, and voila... Brand new IP, usually in a totally different/16 and occasionally in a different/8 (24.0.0.0/8 vs 6x.0.0.0/8).

He probably could, but unfortunately he'll probably get the same IP address. From the RFC:

If an address is available, the new address SHOULD be chosen as follows:

The client's current address as recorded in the client's current
binding, ELSE

The client's previous address as recorded in the client's (now
expired or released) binding, if that address is in the server's
pool of available addresses and not already allocated, ELSE

The address requested in the 'Requested IP Address' option, if that
address is valid and not already allocated, ELSE

A new address allocated from the server's pool of available
addresses; the address is selected based on the subnet from which
the message was received (if 'giaddr' is 0) or on the address of
the relay agent that forwarded the message ('giaddr' when not 0).

In my experience, most DHCP servers keep giving the same MAC addr until that mac addr can't get the old IP it used to have. So you have to go offline, wait until the time expires, hope someone else got your IP, log back on. Lather, rinse, repeat.

It's why it's as long as I don't turn my servers off for more then the DHCP least time, I always have the same IP address.

So the question presented by this article would be "WHY is blacklisting spammers a bad idea?" Unfortunately, it doesn't answer the question.

The blurb mentioned by the article submitter is the entire coverage of any such activity. The rest of the piece then goes on to complain about the user's ISP. Those who haven't RTFA'd can feel comfortable in skipping this one.

I'm sure this submission will provide nice fodder for expressing annoyance over spamming and horror stories of "collateral damage". But then - we've had plenty of those before. It would have been nice if an article had provided some framework around this kind of conversation.

Still - to have the whole domain rejected because of BS is wrong, IMO.

I agree, if by "BS" you mean dubious reports of spam-friendlyness. However, I have no problems with blocking mail or all IP traffic in general from known crime-ridden providers (such as Cogentco, Verio, Qwest or any ISP in South America).

The good it does is far outweighed by the bad. Just like everything else in life, mistakes will be made. You can have a problem with the process to correct mistakes, but advocating RDNS blacklisting should go away doesn't make sense.

The thing we all forget is that spammers are human. If a single address is being blocked, then they change the addresss. If they are spoofing, there's a chance you can incorrectly block a whole domain because of one idiot who setup an open relay. Case in point, at work, all e-mail on the.biz top-level domain is blocked because of the amount of spam taht is recieved from it. What if someone we'd like to do bisness with is on that domain? Alot of the typical comapnies you do musiness with have the.com tied up but if your starting a new business, sometimes the only one available might be the.biz. I personally have given up and try to filter as much as I can knowing that even that won't help.

This is totally off topic and I hope it gets modded as a troll or -1 Ignorant.

But... the Noos web site really pissed me off. The fronsay is no big deal, je le parle comme tout le monde. But what is the deal with the animated text, the little blinking lights saying 'clickez ici, you big dumb user you', the text highlighting gizmo, and that terrible, terrible logo that looks like a genetically-modified O with extra ears.

Yep, I am tired of getting the dreaded pink slashdot screen (DPSS), after hitting several times F5 it loads the page correctly (weirdly developers.slashdot.org is the hardest to bypass)Why/. bans spain?Yep I know my evil "isp" hijacked the internet and put a transparent firewall but I CANT switch "isp" there is only one "real" adsl provider in spain Telefonica, the other ones are resellers of the same product./. ban on spain lame(I tried once emailing/., one of the addresses listed in the DPSS, but to no

They're not related to teleline.es are they? The ISP that at least once (they've been blocked on my domains for ages) sent around an email saying 'don't worry if other ISPs have blocked you for spamming.. join us and we'll let you spam all you like'.

To get kicked from Verio, you have to burn down a network center or something like this. About 500 mails from users to abuse@verio.net for one spamvertized website netmails.com [google.de] and no action taken ==> They do nothing against spam. They tolerate spam.

I'd have to say this is pretty rare. That's just bad policy. At the ISP where I work it takes multiple offensives and the offending ISP has to either not respond to our multiple complaints for over 30 days or flat out refuse to do so. At such time we will blackhole them.

Personally I see this more as an overzelous or undertrained staff at one ISP. I haven't heard too much of this happening myself. I think the biggest issue with blacklisting is when you end up blocking say a/16 or something because som

Based on this story, it seems Verio decided to block the presumed source of spam by means of the routers. That's a rather extreme measure. Doing such things in routers, whether by access list, or by blackhole routing table entry, is not nearly as easy, and does not scale as well, as blocking at the receiving mail server. But they may have wanted to do so because so many mail servers are run by clueless people that can't configure their way out of a paper bag.

I block spam source at mail servers, not routers (except in very extreme cases, but there are current none blocked at routers). That gives me the option to whitelist specific senders and/or specific recipients. So I'd say the real issue he is not that blocking/blacklisting spammers is bad, but that blocking them in stupid ways that lose control is what is bad.

Blocking spam and spam sources should be an end-point decision. There are risks in blocking, and different people have different needs and different sensitivities to that risk. Even your own ISP shouldn't block spam for you unless you agree to it with the understanding of how they are doing it. The best solution is for you to have total control if you wish, particularly in the ability to whitelist, and even blacklist, specific exceptions you want. Those who don't know the details of how this is done would have to delegate that to someone (such as their ISP).

Even content based spam filtering can be broken. What if my girlfriend sends me mail telling me what she's going to do with certain parts when she comes over tonight. I sure would not want that to bounce. Of course I can whitelist her email address (and hope her computer doesn't get infected by some spamming virus).

Blacklisting spammers is good... when done right. Verio didn't do it right.

To me at least, is AOL's decision this year block mail from 'cable modem' address space. As someone who runs his own servers, I am now forced to smart-relay through my ISP...which adds all types of problems, their incompetence at properly configuring *THEIR* servers at the top of the list.

Yeah, I'd like to say to the AOL users on my lists 'tough luck', but I cannot do that.

There are only a couple of possibilities here. One, you are running your own server on a consumer account with a dynamic IP address, in which case you are likely in violation of your AUP, or two, your ISP is utterly clueless and has put their static IPs in the middle of their dymanic range.

I understand the reasons for blacklisting ( I won't argue about the due process issues in which some people get wrongly blacklisted or find it hard to be un-blacklisted). Blocking evil senders of spam is good, even if some people are overzealous. But the situation here is the recipient was prevented from accessing data that they wanted.

If I, the requestor and recipient of communications, want web pages, e-mail, etc. from a given domain, why shouldn't I be able to get them? Since when is the ISP in loc

A very similar thing happened to me. I run a reseller hosting account for myself and my clients on a machine with a few hundred other reseller accounts (and therefore probably thousands of domains). Somebody using the server either sent or was reported to have sent spam to somebody with an AOL address. It was reported, and AOL started refusing any email directed to any AOL account.

This created havoc for myself and my clients (and everybody else on my server, and one other server run by my hosting provid

Verio doesn't blacklist spammers. Verio HOSTS spammers. Verio is friends with spammers. Verio has a long and storied history of supporting spammers, so I think it's far more likely that Verio got blacklisted and not the other way around. This guy should have switched ISPs but he completely misunderstood what happened here - he thinks that Verio is blocking him from viewing some random web site. What actually happened is Smart Mobs' ISP blacklisted Verio, probably with good reason.

First, it's obviously a bad idea to block all IP traffic for an entire netblock (except under extreme circumstances -- attacks, for instance).

Spam is a huge problem, and there are some very effective DNSBL's (DNS blocklists) out there that can let a mailserver reject mail coming from a certain IP address. There are many different DNSBL's out there, and each has their own policies on what IPs they will list, how they will de-list, etc.

I don't like DNSBL's that list IPs based on non-spam related criteria. Examples include: country/continent of origin and service class (consumer vs. commercial). Blocks based on such criteria just divide the Internet, and don't even take into account where spam is coming from. I think it's a slap in the face of the Internet for a company to say, "I'm going to block all traffic from dynamic IPs, because they are not commercial connections".

Then there are the blocklists that block IPs that send spam. I like this approach because the lists are designed to block what I don't want; spam. sbl.spamhaus.org blocks regions of the Internet that perpetually send spam. blackholes.easynet.nl similarly list established spam sources. relays.ordb.org and list.dsbl.org block open relays and proxies that were found to be points of abuse.

While I feel sorry for those who are innocent victims of
blacklists, I cannot also ignore the most of
the spam comes from a only few IP addresses.

Over the past 6 months, some 65% of spam (and
spam attempts) that my ISP received came from
less than 0.16%
of the assigned IPv4 address space.

Almost 2/3's of
the spam we saw was sent over SMTP connections from
one of 77 CIDR blocks (ranging from/16 to/30 in size).
These 77 CIDR blocks represent less than 1/6 of
1 percent of the assigned IPv4 address space.

BTW: The CIDR list growth factor is not much
when you move from the 65% level to the 90% level.

... your stats may vary.:-)

Spam is truly a world wide problem.
Those 77 blocks, by national/region, break down as follows:

1 Australia

1 Belgium

8 Brazil

1 Canada

8 China

3 Dominican Republic

1 Spain

1 France

1 Israel

1 Italy

1 Japan

15 Korea, Republic of

3 Mexico

1 Poland

1 Russia

2 Thailand

3 Taiwan

25 US

The above list is provided for the curious.
I do not recommend that people block IP
addresses based on the hosting country.

"Yes, Virginia", a few IP address blocks
do transmit most of the spam.

I love hearing these "horror stories" about people listed by some well-known DNSbl like SpamCop or SPEWS, telling us how unfair it was and how impossible it was to work with the list maintainers, but they never provide any details so we can't investigate their case.

Of course, in one case a company did provide extensive details that, when looked into, showed that their listing was perfectly justified.

Thus, there is a fine line between what the governing body considers spam and what I do.

Spam is very clearly defined. It is unsolicited, impersonal (having a bot that tries to tack on the recipient's name based upon their USENET postings does not count) e-mail sent as a means of advertising (whether for commercial or non-commercial purposes is irrelevant).

Comparing false-positives in spam-detection tools to political censorships is a stretch at best.

No, it's a great idea, and the only technological response to what is a social problem. In the case of collateral damage, it lets the sender know that there is a problem with their network, so that they can do something about it.

Blacklisting gives one entity, such as an ISP, the ability to censor what others can read

Wrong. The fact that the ISP can do it means that they already have that ability (by definition.)

True. My own mail server checks several spamblocker services, and since I run IMAP it simply moves any possible spams into network-wide SPAM folders for each account. I also run Mozilla, and I have it configured to do the same thing. Consequently, my Inbox has very few spams in it, but if I suspect that an important mail may have been incorrectly categorized I can find it. Periodically I blow away the spam folder.